User profile

The user profile configuration contains the settings required to manage the user data stored in the user registry.

Steps

  1. From the top menu, go to AAC > Manage > SCIM Configuration.

  2. Click User Profile.

  3. Modify the following settings as needed.

      LDAP Server
      This LDAP server connection is a pointer to an LDAP server connection that has been defined in the Advanced Access Control server connections page. This field contains a list of the available LDAP server connections and Verify Access Runtime server connections.

      If an LDAP type is selected, it is used directly as the SCIM LDAP server. If a Verify Access Runtime type is selected, the bind details in the server connection are used along with the configured Verify Access Runtime LDAP server.

      Important: The selected server connection must contain the bind details for the Runtime Component LDAP server. Ensure that the Runtime Component is configured before you attempt this step. This field is required.

      Type
      This field shows the server connection type for the selected LDAP server. If the server connection type is LDAP, the server connection is used as is. If the server connection type is Verify Access Runtime, the bind details in the server connection are used along with the configured Verify Access Runtime LDAP server. If a specific federated directory is selected using the Attribute Lookup Directory field, it is used in each of the following lookup operations; otherwise, the Verify Access primary user registry is used.

      • The list of available LDAP group related object classes only includes the values that are obtained from the lookup LDAP server.
      • The Group DN attribute selection on this page only includes the values obtained from the lookup LDAP server.
      • If a Verify Access Runtime server connection is selected, the list of available LDAP user related object classes only includes the values that are obtained from the lookup LDAP server.
      • If a Verify Access Runtime server connection is selected, the available LDAP attributes used in SCIM attribute mappings only include the values that are obtained from the lookup LDAP server.
      • If a Verify Access Runtime server connection is selected, the User DN Attribute selection on this page only includes the values that are obtained from the lookup LDAP server.

      LDAP User Related Object Classes
      The LDAP object classes used to reference a user object. These are the object classes that are looked for when parsing the response to an LDAP subschema query. This is how the list of LDAP user attributes is determined and made available to the administrator for mapping SCIM attributes to LDAP attributes.

      This field is optional. If this field is not set, then no LDAP attributes will be available.
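The following is an added example, not code from the Verify Access product: it parses objectClass definitions of the kind an LDAP subschema query returns (RFC 4512 syntax) and derives the attribute list that the selected user object classes make available for mapping, including attributes inherited through SUP. The definitions are constructed sample data, and the parser assumes one quoted NAME per class.

```python
import re

# Constructed objectClass definitions in RFC 4512 syntax, shaped like a subschema response.
SAMPLE_OBJECT_CLASSES = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber $ description ) )",
    "( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL "
    "MAY ( title $ ou $ postalAddress ) )",
    "( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson "
    "STRUCTURAL MAY ( mail $ uid $ givenName $ displayName ) )",
    "( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn ) MAY description )",
]
# Each keyword is followed by either a parenthesised '$'-separated list or a single name.
_KEYWORD = {k: re.compile(rf"\b{k}\s+(\([^)]*\)|\S+)") for k in ("SUP", "MUST", "MAY")}
_NAME = re.compile(r"NAME\s+'([^']+)'")   # assumption: one quoted NAME per class


def _names(group):
    """Turn '( sn $ cn )' or 'cn' into ['sn', 'cn'] / ['cn']."""
    return [t.strip() for t in group.strip("() ").split("$") if t.strip()]


def parse_object_classes(definitions):
    """Map each objectClass name to its (SUP, MUST, MAY) name lists."""
    classes = {}
    for definition in definitions:
        name = _NAME.search(definition).group(1)
        parts = []
        for key in ("SUP", "MUST", "MAY"):
            match = _KEYWORD[key].search(definition)
            parts.append(_names(match.group(1)) if match else [])
        classes[name] = tuple(parts)
    return classes


def available_attributes(classes, selected_classes):
    """MUST and MAY attributes of the selected classes and of every superclass reached via SUP."""
    attrs, seen = set(), set()

    def walk(name):
        if name in seen or name not in classes:
            return
        seen.add(name)
        sup, must, may = classes[name]
        attrs.update(must, may)
        for parent in sup:
            walk(parent)

    for name in selected_classes:
        walk(name)
    return sorted(attrs)   # an empty selection yields no attributes, as the page states
```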

      Attribute Mappings
      The list of SCIM attributes and the mapped source for each attribute, either an LDAP or a session attribute. You can expand an attribute to see its subattributes. The LDAP server connection and object classes settings must be set in the respective fields before any LDAP attributes are made available.

      Enforce Password Policy
      This checkbox controls whether password updates that use the standard password SCIM attribute take place as the administrative user or as the end user. Password policy is typically only enforced in the user registry when the password is updated by the end user. Select this checkbox only if users have the necessary permissions to change their own passwords in the user registry and the user registry does not enforce password policy when a user password is changed by an administrative user. If an update includes both the password and passwordNoPolicy attributes, passwordNoPolicy takes precedence and password is ignored.
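As an added example (not product code), the following applies the rules above to a SCIM update body: it finds which password attribute an update carries, lets passwordNoPolicy win over password, and reports whether registry password policy is expected to apply given the Enforce Password Policy setting. The PATCH body and the extension URN are constructed placeholders, and treating passwordNoPolicy as bypassing policy is an assumption drawn from its name.

```python
import json

# Constructed SCIM PATCH body (RFC 7644 shape); the extension URN is a placeholder,
# since this page does not name the schema that carries passwordNoPolicy.
SAMPLE_PATCH = json.loads("""{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {"op": "replace", "path": "password", "value": "Winter-2024!"},
    {"op": "replace", "path": "urn:example:extension:User:passwordNoPolicy", "value": "x"}
  ]
}""")


def attributes_in_update(body):
    """Collect every attribute name a SCIM PUT or PATCH body touches, stripping URN
    prefixes and sub-attribute paths ('urn:...:passwordNoPolicy' -> 'passwordNoPolicy')."""
    found = set()

    def short(name):
        return name.rsplit(":", 1)[-1].rsplit(".", 1)[-1]

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                found.add(short(key))
                if key == "path" and isinstance(value, str):
                    found.add(short(value))   # target of a PATCH operation
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(body)
    return found


def resolve_password_update(body, enforce_password_policy):
    """Return (effective attribute, policy expected to be enforced), or None when the
    update sets no password. passwordNoPolicy takes precedence over password; the
    standard password attribute runs as the end user, and so under registry policy,
    only when Enforce Password Policy is selected."""
    attrs = attributes_in_update(body)
    if "passwordNoPolicy" in attrs:
        return ("passwordNoPolicy", False)   # assumption: this attribute bypasses policy
    if "password" in attrs:
        return ("password", enforce_password_policy)
    return None
```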

      Search Suffix
      This field contains the user suffix from which LDAP search operations commence. This field is not required if a Verify Access Runtime connection is selected; in this case each of the supported suffixes from the configured directories is searched. The exception is that if Verify Access integration is enabled, the search suffix is required.

      User Suffix
      This field contains the suffix that houses any users created through the SCIM interface.

      User DN Attribute
      This field contains the DN attribute used to create users. The User Profile LDAP server connection and object classes settings must be set in the respective fields before any LDAP attributes are made available.

      Attribute Lookup Directory
      This field shows the federated directory used to retrieve the list of supported LDAP object classes and the attributes associated with those object classes. The field is only visible if a Verify Access Runtime server connection is selected. The drop-down is then populated with the list of configured federated directories. An empty selection results in the primary LDAP server being used.

  4. Click Save to save the changes. Due to the caching of configuration data within the runtime, it might take up to 30 seconds before any deployed configuration changes become active.

Parent topic: SCIM configuration